
I can't get rid of csrss


Go to solution Solved by Maurice Naggar,


@Badwolf15002   :welcome:

My name is Maurice.  Let me know what nickname you prefer.

Understand that there is a legitimate CSRSS by Windows so do not go deleting or changing things on your own.

OK, thanks for attaching the file. I will study and get back to you. Thanks

Amended. The file provided above is a text-type report about a repair option with the Support tool. It turned out it (obviously) was not the ZIP that I need.

Edited by Maurice Naggar
re-amended
Link to post

I need a report set for review.   This is a report only.

Please download MBST Support Tool

 

Once you start it click Advanced > Gather Logs

 

Upload an archive once it is done. Attach the mbst-grab-results.zip from the Desktop.

 

  • Please attach mbst-grab-results.zip to your reply, like displayed here.
  • To send (upload) attachments please click the "ADD Files" link. Then browse to where your file is located and select it and click the Open button.

 

Link to post

Just an FYI

I have tried to delete the csrss file many times.
It shows up in \user\(Username)\appdata\local\temp\csrss\ and C:\Windows\rss\csrss.exe

But every time I do it just reappears.
How I delete them is I restart Windows and hold down the Shift key and enter command prompt that way and move around and use the command: rmdir /s (directory)
I've tried other methods but it all points to downloading Malwarebytes which for some reason refuses to install.
 

Link to post

You and I are the only ones on this thread.  I get notified of all replies.  So there is no need to click the "QUOTE" when you do a reply.

By the way, stick with me until I give the all clear.  That is to say, this is not a one-shot & done.  We will be doing several passes.

Meantime, do not do any web surfing, nor online games.

.

As I mentioned before, kindly do not do any further attempts to get rid of stuff while I am guiding you on this case.  There are several things going on all at once.

There is a rogue "CSRSS"  plus it is also tied to a scheduled task.  PLUS

there is a rogue / bogus "windefender" which is not the legitimate MS Defender.   There are other suspects.

.

Here below is a custom run intended to quash the rogue CSRSS.  Please take time to read carefully & apply all directions below.

If you have a question, stop and ask me first.

[    1    ]

As a next basic step, Please  set File Explorer to SHOW ALL folders, all files, including Hidden ones.  Use OPTION ONE or TWO of this article

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

[    2    ]

We will use FRSTENGLISH.exe  on Downloads folder to run a custom script.    The system will be rebooted after the script has run.

This custom script is for  Badwolf15002  only / for this machine only.

 

This custom script has some specific things, plus some general aspect to help the system overall.

NOTE-1:  This script will  run a scan using System File Checker to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files.  It will rebuild the Winsock.  It will run the Windows DISM tool to check the system. It is also intended to squash the rogue CSRSS  ( the 'bad' ones / the non-legitimate ones).

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. 

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome,  and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

  • Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this.

 

  • If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached,  please disconnect any of those.
  • Please save the (attached file named) FIXLIST.txt   to the   user Downloads  folder   

 

Fixlist.txt


Start the Windows Explorer and then go to the Downloads folder.


RIGHT click on FRSTENGLISH.exe and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

  • IF you get a block message from Windows about this tool......

               click the line More info on that screen
               and click button Run anyway on next screen.

  • on the FRST window:

Click the Fix button just once, and wait.


 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. 
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   


We will do more after this.  Persistence & patience are called for here.

Stick with me because there will be more for later.

Edited by Maurice Naggar
Link to post

Thanks.  Good run / excellent actually.  Except there is more to do.   Even after this step below here.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the tool are at this link at Microsoft 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on Scan Options & select FULL scan.

Then start the scan. Have lots of patience. It may take several hours.

 

Let me know the result of this.    This is likely to run for many hours   ( depending on number of files on your machine & the speed of hardware.)

The log is named MSERT.log  

the log will be at  

C:\Windows\debug\msert.log

Please attach that log with your reply.

NOTE:  The "rogue" actually auto-placed exclusions in MS Defender to exclude several spots where the 'booger' was stored.  On the next round, I will have a secondary custom fix run for you.

We are not done.

Link to post
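A read-only check for the three things described in the thread so far (a csrss.exe running from outside System32, a scheduled task that relaunches it, and antivirus exclusions added to MS Defender), as an added PowerShell example that is not part of the original posts or of any tool used in them. The user-writable-path heuristic and the output layout are assumptions of this example; run it from an elevated PowerShell on a machine where MS Defender is the active antivirus.

```powershell
# Added example, not from the thread. Read-only: it reports and changes nothing.
# Run from an elevated PowerShell so image paths and exclusions are readable.

$legitCsrss = Join-Path $env:SystemRoot 'System32\csrss.exe'

function Test-UserWritablePath {
    # Assumption of this example: Temp, AppData and ProgramData locations
    # are treated as user-writable and therefore worth a second look.
    param([string]$Path)
    return $Path -match '\\(Temp|AppData|ProgramData)\\'
}

# 1. Every running csrss.exe should be the System32 image.
$procs = Get-CimInstance Win32_Process -Filter "Name = 'csrss.exe'" |
    ForEach-Object {
        $status = 'UNEXPECTED LOCATION'
        if (-not $_.ExecutablePath) { $status = 'path unavailable (run elevated)' }
        elseif ($_.ExecutablePath -eq $legitCsrss) { $status = 'expected' }
        [pscustomobject]@{
            ProcessId = $_.ProcessId
            Path      = $_.ExecutablePath
            Status    = $status
        }
    }

# 2. Scheduled tasks that start a csrss.exe from somewhere else, or start
#    anything from a user-writable directory. These are items to review,
#    not verdicts: per-user updaters legitimately live under AppData.
$tasks = Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        # Only exec actions carry an Execute path; COM handler actions do not.
        if (-not $action.Execute) { continue }
        $exe = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
        $csrssElsewhere = ($exe -like '*\csrss.exe') -and ($exe -ne $legitCsrss)
        if ($csrssElsewhere -or (Test-UserWritablePath $exe)) {
            [pscustomobject]@{
                Task      = $task.TaskPath + $task.TaskName
                Execute   = $exe
                Arguments = $action.Arguments
            }
        }
    }
}

# 3. Defender exclusions. Any entry nobody on the machine remembers adding,
#    especially one covering a Temp or AppData folder, deserves a closer look.
$pref = Get-MpPreference
$exclusions = foreach ($kind in 'ExclusionPath', 'ExclusionProcess', 'ExclusionExtension') {
    foreach ($value in $pref.$kind) {
        if ($value) {
            [pscustomobject]@{
                Kind         = $kind
                Value        = $value
                UserWritable = Test-UserWritablePath "$value\"
            }
        }
    }
}

Write-Output '--- csrss.exe processes ---'
$procs | Format-Table -AutoSize
Write-Output '--- scheduled tasks to review ---'
$tasks | Format-Table -AutoSize -Wrap
Write-Output '--- Defender exclusions ---'
$exclusions | Format-Table -AutoSize
```

An empty second or third table means nothing matched; it does not by itself mean the machine is clean.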

We need to run one fix run while in SAFE mode of Windows
 
Please just only read this all the way down ...before you begin.   You may want to copy and Save these directions into a NOTEPAD file for later reference.
The custom script on this post is ONLY for this machine and NO other.   
Delete the old Fixlist.txt  on Downloads  that is there from before.
 
Then, Please Close / Exit any open work files   ( if you have any ongoing at this point).   Save any work.  Exit out of other open apps that you yourself started at this session.
This procedure will involve a Restart at the end of the run.


Save this script file named FIXLIST.txt  to  Downloads folder.
 Fixlist.txt
 
 
[   2   ]   NOW we need to Restart Windows into SAFE MODE  ( just SAFE mode)  . See this guide at Tenforums
https://www.tenforums.com/tutorials/2304-boot-into-safe-mode-windows-10-a.html
 
Now in SAFE mode of Windows.
Using File Explorer, go to   Downloads folder
RIGHT click on  FRSTENGLISH.exe   and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow to run the tool. 

IF Windows prompts you about running this, select YES to allow it to proceed.
 
Click on FIX button.
 
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.
Please attach the FIXLOG.txt with your next reply later, at your next opportunity.
After the end of this run, Windows should be in normal mode.   There will be more to do after this.
 

Link to post

Thank you. That run seems to have managed to fully remove the rogues that had been in some temp sub-folders & seems to have removed the exclusions out of the exceptions section of MS Defender.

That is hopefully good steps forward.  Now, since this machine had had those sorts of issues, we do additional new scans.

.

I would suggest a free scan with the ESET Online Scanner.  This will be another check for viruses, other malware, adwares, & potentially unwanted applications.

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

 

It will start a download of "esetonlinescanner.exe"

  • Save the file to your system, such as the Downloads folder, or else to the Desktop.

 

  • Go to the saved file, and double click it to get it started.

 

  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes
  • When prompted for scan type, Click on Full scan

Look at & tick ( select ) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on Start scan button.

  • Have patience. The entire process may take an hour or more. There is an initial update download.

There is a progress window display. You may step away from the machine & let it be.

You should ignore all prompts to get the ESET antivirus software program. ( e.g. their standard program). You do not need to buy or get or install anything else.

  • When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked “View detected results”.
  • Click The blue Save scan log to save the log.

If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files” ( in blue, at bottom).

Press Continue when all done. You should click to off the offer for “periodic scanning”.

Please make sure you attach the log report.

Link to post

  • Solution

Thanks. Very worthwhile run.  It found several  potentially unwanted application  ( PUA ) including a few coinminers.

Earlier, I believe you mentioned an attempt to install Malwarebytes for Windows ran into some hitch.   Let's try to do a new install of Malwarebytes for Windows.   After that is done, then do a scan.

[    A   ]

I'd suggest you save the download to the Desktop for ease of access.   Otherwise, save the file to Downloads folder.

1. Download the offline installer from : https://downloads.malwarebytes.com/file/mb4_offline
2. Now, go to the folder location where saved.     Right-click on the exe and select Run as Administrator and allow it to go forward.

[    B    ]

In Malwarebytes for Windows program, we want to do a special scan.
 Click Settings (gear icon) at the top right of Malwarebytes window. We want to see the SETTINGS window.  Then click the Security tab.  Scroll down and let's be sure the line in SCAN OPTIONS for 

"Scan for rootkits" is ON 👈   Click it to get it ON if it does not show a blue-color . Next, click the small x on the Settings line to go to the main Malwarebytes Window.   Next click the blue button marked Scan.

 

When the scan phase is done, be real sure you Review and have all detected lines items check-marked on each line on the left. That too is very critical.

>>>>>>      👉      You can actually click the topmost left check-box on the very top line to get ALL lines ticked (all selected).         <<<<     💢


 

Please double verify you have that TOP  check-box tick marked.   and that then, all lines have a tick-mark

 

Then click on Quarantine  button.


 

Then, locate the Scan run report;  export out a copy;  & then attach in with your  reply.

See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

 

Link to post

If you were to read the whole report, you would see lots & lots of remarks  

 No Action By User

Please repeat the scan exactly as I stated above.  Making real sure that you do a REVIEW after the scan phase & that you TICK the top left check-box so that ALL is selected & removed.

Please make real sure to do that.

No telling just how your machine got messed up .....just that it is likely from some download or other that was recently done.

My best guess is that it was a Trickbot or similar malware.   Pretty serious since it had made auto-exclusions onto MS Defender antivirus so that it would not be caught.

Let me see the result from this Malwarebytes run.

Edited by Maurice Naggar
Link to post

That's a lot better in that all items tagged were removed.

Threats Detected: 72
Threats Quarantined: 72

.

It's best to continue to do some other additional scans.

Let's do one scan with Malwarebytes Adwcleaner to check for adwares. Just before pressing that "scan" button, be sure that Chrome & Edge, or other web browser are Closed.

It will not take much time.

First download & save it

https://support.malwarebytes.com/hc/en-us/articles/360038520054-Download-and-install-Malwarebytes-AdwCleaner

 

Then be sure to close all web browsers.

Then go to where the EXE file is saved. Start Adwcleaner.  Then do a scan with Adwcleaner

https://support.malwarebytes.com/hc/en-us/articles/360038520114-Malwarebytes-AdwCleaner-scan-and-clean

Attach the clean log.

Link to post

That is a worthwhile cleanup too.  Now a pair of reports to check some statuses.  These are just reports.

Download SecurityCheck by glax24 from here  https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe

 

and save the tool on the desktop.

  • If Windows's SmartScreen blocks that with a message-window, then

Click on the MORE INFO spot and over-ride that and allow it to proceed.

This tool is safe.   Smartscreen is overly sensitive.

  • Right-click  with your mouse on the Securitycheck.exe  and select "Run as administrator"   and reply YES to allow to run & go forward
  • Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file.  Attach it with your next reply.

You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

[   2   ]

This is a different sort of report.  

Download   Farbar's Service Scanner utility

and Save to your Desktop.

Right-Click on fss.exe and select Run As Administrator.

Answer Yes to ok when prompted.

If your firewall then puts out a prompt, again, allow it to run.

Once FSS is on-screen, be sure the following items are check-marked:

  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center/Action Center
  • Windows Update
  • Windows Defender
  • Other services

  

Click on "Scan".

It will create a log (FSS.txt) in the same directory the tool is run.   Please attach that file.    😁

Link to post

Each of those 2 provide some insights & details about selected things.  FSS on selected Windows services ( of the operating system). SecurityCheck about security software & whether some add-on apps are out of date as far as security patches.  Good thing we ran these since FSS points out that the Windows Update service is AWOL  ( something most likely knocked out by the former malware infection.   We will do a fix below).

[   A   ]

RIGHT click the link with your mouse-pointer and select SAVE ...as.... & guide the folder for saving to a folder (do not double click / do not 'run' the file / nor open)

Windows 10 Windows Update service

Once it is saved, then we are needing to merge the files onto the system, as follows

 

With your mouse, do a RIGHT-click on the file wuauserv.reg and select Merge

Let it do that & ensure it finishes ok.

.

[   B   ]

These are called to your attention because they deserve your review and action for updates !  Out of date apps can make infection easier for the bad actors.

Git version 2.29.2 v.2.29.2   Warning! Download Update
Microsoft 365 - en-us v.16.0.13029.20344 Warning! Download Update
How Install Office updates?

Oracle VM VirtualBox 6.1.22 v.6.1.22 Warning! Download Update

WinRAR 5.91 (64-bit) v.5.91.0   Warning! Download Update

GIMP 2.10.22 v.2.10.22 Warning! Download Update

Discord v.0.0.309    Warning! Download Update
Zoom v.5.7.4 (804)    Warning! Download Update

Java 8 Update 291 (64-bit) v.8.0.2910.10   Warning! Download Update
Uninstall old version and install new one (jre-8u301-windows-x64.exe).

VLC media player v.3.0.11   Warning! Download Update

Google Chrome v.92.0.4515.107   Warning! Download Update
Microsoft Edge v.91.0.864.48   Warning! Download Update

 

Stick with me.  We will do some beefing up of security for the web browsers on this machine.  But I also would like for you to make time & do a run today to Microsoft Windows Update to ensure this OS build is fully up-to-date.

  1. Select the Start (Windows) button from the bottom-left corner.
  2. Go to settings (gear icon).
  3. Select the Update & Security icon
  4. Choose the Windows Update tab in the left sidebar (circular arrows) Click the Check for updates button
  5. Accept all cumulative updates and feature updates that are listed at the top.
Link to post

Keeping the Windows operating system safe requires keeping up with all security updates from Microsoft Windows Update. On a regular basis. That's done by having the Windows Update service on. And monitoring on a regular basis.
The Microsoft August 2021 security updates cover 44 CVEs.  Of these CVEs, 7 are rated Critical and 37 are rated Important in severity. 
This machine needs to get & apply the     2021-08 Cumulative Update for Windows 10 Version 20H2 for x64-based Systems (KB5005033)
Go to this link at the Microsoft Update Catalog.  It's the first item listed.  Download & save the file
https://www.catalog.update.microsoft.com/Search.aspx?q=KB5005033 windows 10 20h2 for x64

It is the first one listed at that link.

Download the file.  SAVE it to your system.

Then to actually apply that update.

While in File Explorer, go to that .MSU  file

Do a Right click with your mouse on the .msu  and then select OPEN.

That should start the update process for that KB.  Ensure that it fully completes that run.
.
The run of the Microsoft MSRT tool is also an important thing to do.
Download & save MSRT from this link https://www.microsoft.com/en-us/download/details.aspx?id=9905  at Microsoft Download Center   Disregard the top part with what look like ads / promos. Scroll down & see the Download button
Be sure to first SAVE the file to the Downloads folder or else, to the DESKTOP
When download completed, do a RIGHT-click with the mouse pointer & choose RUN AS ADMINISTRATOR & allow it to go forward.
IF prompted about are you sure, Reply YES.
Next select QUICK scan.
If malicious software has modified (infected) files on your computer, the tool prompts you to remove the malicious software.
The Malicious Software Removal Tool scan log is located at: C:\Windows\Debug\mrt.log.
.

To remove the FRST tool & its work files, do this. Go to your Downloads folder. Do a RIGHT-click on FRSTENGLISH.exe & select RENAME & then change it to

UNINSTALL.exe


.
Then run that ( double click on it) to begin the cleanup process.

Delete mbst-grab-results.zip   on the desktop
Delete mb-support-1.8.4.896.exe   on Downloads
Delete esetonlinescanner.exe
Delete fss.exe
Delete securitycheck.exe
 

Any other download file I had you download, you may delete. 
.
No one else can get access to the files you uploaded who is not on the forum staff. There is no need to fret over the reports submitted.  Even so, I have set all those posts to be hidden.
.
Backup is your best friend.  Keep backups of your system on a regular basis to offline storage & keep those safe. https://forums.malwarebytes.com/topic/136226-backup-software/

It is not enough to just have a security program installed. Each pc user needs to practice daily safe computer and internet use.

Best  practices & malware prevention:
Follow best practices when browsing the Internet, especially on opening links coming from untrusted sources.
First rule of internet safety: slow down & think before you "click".
Never click links without first hovering your mouse over the link and seeing if it is going to an odd address ( one that does not fit or is odd looking or has typos).

Free games & free programs are like "candy". We do not accept them from "strangers".

Never open attachments that come with unexpected ( out of the blue ) email no matter how enticing.
Never open attachments from the email itself. Do not double click in the email. Always Save first and then scan with antivirus program.

Pay close attention when installing 3rd-party programs. It is important that you pay attention to the license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these as they will typically disclose what other 3rd party software will also be installed.
Take great care in every stage of the process and every offer screen, and make sure you know what it is you're agreeing to before you click "Next".

Use a Standard user account rather than an administrator-rights account when "surfing" the web.
See more info on Corrine's SecurityGarden Blog http://securitygarden.blogspot.com/p/blog-page_7.html

Only using the Standard-access-level user account when surfing and downloading / installing would have been a tremendous way to prevent the infections of this machine.


Don't remove ( or change )  your current login. Just use the new Standard-user-level one for everyday use while on the internet.

 

Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware.

For other added tips, read "10 easy ways to prevent malware infection"  

 

Stay safe.  I wish you all the best. 
I am marking this case for closure.

Edited by Maurice Naggar
Link to post

This topic is now closed to further replies.